Jan 7, 2011 08:23 GMT

Microsoft announced that it doesn't plan to patch two publicly known 0-day vulnerabilities in Internet Explorer and Windows during this month's Patch Tuesday.

Next week, on January 11, the Redmond software giant is scheduled to release its monthly batch of security bulletins; however, it will leave out some of the most serious known issues.

One of the two bulletins announced for next Tuesday affects only Windows Vista and is rated Important, while the other affects all supported Windows versions and is rated Critical.

Neither bulletin, however, will cover an actively exploited vulnerability affecting Internet Explorer 6, 7 and 8 on all Windows flavors.

Identified as CVE-2010-3971, the flaw is a use-after-free memory error in the mshtml.dll library and can be exploited to execute arbitrary code remotely.

Moreover, in the latter half of December, a group called Abysssec Security Research announced a reliable exploit for this vulnerability that bypasses the DEP and ASLR protection mechanisms in Windows.

According to Carlene Chmaj, senior response communications manager with Microsoft's Trustworthy Computing Group, targeted attacks exploiting this vulnerability have already been spotted in the wild.

However, to the dissatisfaction of many security researchers, Microsoft does not rush out patches when a threat is not widespread. Instead, the company provides mitigations for this flaw in Security Advisory 2488013.

A second critical vulnerability that will remain unpatched is located in the Graphics Rendering Engine and affects all Windows versions except Windows 7 and Server 2008 R2.

This flaw was disclosed as a zero-day at a security conference in Korea last month and was confirmed by Microsoft earlier this week in Security Advisory 2490606.

In addition, there could be another unconfirmed 0-day vulnerability in Internet Explorer, disclosed by Google security researcher Michal Zalewski at the beginning of this year.